ISO/IEC 27000 series

from Wikipedia, the free encyclopedia

The ISO/IEC 27000 series (also the ISO/IEC 27000 family, or ISO27k for short) is a series of standards for information security management. The more than 20 standards (as of June 2013) are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Historical development

As part of their joint standardization work, ISO and IEC decided to group various information security standards under the number range 2700x within the subject area "Information technology - Security techniques". The German contribution to this work is handled by the DIN working committee NIA-01-27 "IT-Sicherheitsverfahren" (IT security techniques). The evaluation and certification of individual IT products and systems, as opposed to an organization's management system, is covered separately by ISO/IEC 15408 (Common Criteria).

  • ISO/IEC 27000 - Information security management systems - Overview and vocabulary
  • ISO/IEC 27001 - Information security management systems - Requirements; emerged from Part 2 of the British Standard BS 7799
  • ISO/IEC 27002 - Code of practice for information security management; emerged from Part 1 of the British Standard BS 7799 and from ISO/IEC 17799
  • ISO/IEC 27003 - Information security management systems - Implementation guidance
  • ISO/IEC 27004 - Information security management - Measurement
  • ISO/IEC 27005 - Information security risk management

Part 2 of BS 7799 became ISO/IEC 27001:2005 (since superseded by ISO/IEC 27001:2013 and ISO/IEC 27001:2022). It specifies the requirements for an Information Security Management System (ISMS). Within the ISO/IEC 2700x family, ISO/IEC 27001 is the standard against which conformity is assessed: companies and public authorities can have their ISMS audited and certified against ISO/IEC 27001. The other standards in the family are guidance that supports this requirements standard.

ISO/IEC 27002:2005 covered risk assessment and treatment (Section 4) and a total of 133 controls in eleven control clauses (Sections 5 to 15), many of them with quite specific implementation guidance. Since the standard is technology-neutral, this guidance stays at the conceptual level and must be broken down into organizational, operational and technical measures for the specific application. For technical security measures, ISO/IEC 27002:2005 can usefully be supplemented by the IT-Grundschutz Catalogues of the German Federal Office for Information Security (BSI).

While many of these standards originally developed independently of one another in linguistic, geographical and institutional terms, they are increasingly converging. Since ISO/IEC 17799 was published in 2000, compatibility between the standards has shaped their further development. The BSI's IT-Grundschutz is compatible with ISO/IEC 27001; the BSI issues ISO 27001 certificates on the basis of IT-Grundschutz. Since 2012, new and revised ISO management system standards have followed a common high-level structure defined in Annex SL of the ISO/IEC Directives; ISO/IEC 27001:2013 was the first edition of 27001 to adopt it. With this, ISO aims to link its management system standards more closely with one another, so that introducing and operating several of them side by side, for example ISO/IEC 27001 and ISO/IEC 20000, becomes simpler.

The ISO/IEC standards for information security are being expanded step by step: as of August 2013, 21 standards had been published and at least 31 in total were planned.

Standards

  • ISO/IEC 27000 contains the terms and definitions used throughout the ISO/IEC 27000 series.
  • ISO/IEC 27001 contains the requirements for an ISMS.
  • ISO/IEC 27002 contains recommendations for the various controls for information security.
    On 15 June 2005 the guide ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management was published, based on BS 7799-1. With reference to document ISO/IEC JTC 1/SC 27 N5981 of the SC 27 secretariat (Deutsches Institut für Normung e. V.), the standard was renumbered from ISO/IEC 17799:2005 to ISO/IEC 27002:2005 in summer 2007.
  • ISO/IEC 27003 contains a guide to implementing ISO/IEC 27001 (published in February 2010).
  • ISO/IEC 27004 Information security management - Measurement (first published as ISO/IEC 27004:2009 in December 2009; revised in December 2016).
  • ISO/IEC 27005 is based on BS 7799-3:2006 and deals with information security risk management (published in June 2008).
  • ISO/IEC 27006 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems (issued on 1 March 2007) specifies the requirements that certification bodies must meet in order to audit and certify information security management systems against ISO/IEC 27001.
  • ISO/IEC 27007 Information technology - Security techniques - Guidelines for information security management systems auditing.
  • ISO/IEC TR 27008 Information technology - Security techniques - Guidance for auditors on information security management systems controls.

Sector-specific and supplementary standards building on ISO/IEC 27002 are being developed as ISO/IEC 27010 to ISO/IEC 27019:

  • ISO/IEC 27010: Information security management for inter-sector and inter-organizational communications (published in April 2012, revised November 2015)
  • ISO/IEC 27011: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (issued December 2008, revised December 2016)
  • ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (published in 2012, revised December 2015)
  • ISO/IEC 27014: Governance of information security (issued May 2013)
  • ISO/IEC TR 27015: Information security management guidelines for financial services (issued December 2012, since withdrawn)
  • ISO/IEC TR 27016: Information security management - Organizational economics (issued 2014)
  • ISO/IEC 27017: Code of practice for information security controls based on ISO/IEC 27002 for cloud services (published 2015)
  • ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (published 2014, revised 2019)
  • ISO/IEC 27019: Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry (first published as ISO/IEC TR 27019:2013, revised as ISO/IEC 27019:2017; German edition DIN EN ISO/IEC 27019:2020-08).

It is also planned that the technical areas of information security will be covered in ISO/IEC 27030 to ISO/IEC 27044, e.g. cybersecurity, intrusion detection and trusted third party services such as authentication.

  • ISO/IEC 27031 Guidelines for information and communication technology readiness for business continuity (published 2011)
  • ISO/IEC 27032 Guidelines for cybersecurity (issued July 2012)
  • ISO/IEC 27033 Network security, which replaces ISO/IEC 18028 and comprises seven parts:
    • ISO/IEC 27033-1 Overview and concepts (published 2009, revised 2015)
    • ISO/IEC 27033-2 Guidelines for the design and implementation of network security (published 2012)
    • ISO/IEC 27033-3 Reference networking scenarios - Threats, design techniques and control issues (issued December 2010)
    • ISO/IEC 27033-4 Securing communications between networks using security gateways (published 2014)
    • ISO/IEC 27033-5 Securing communications across networks using Virtual Private Networks (VPNs) (published 2013)
    • ISO/IEC 27033-6 Securing wireless IP network access (published 2016)
    • ISO/IEC 27033-7 Guidelines for network virtualization security
  • ISO/IEC 27034 Guidelines for application security (multi-part)
  • ISO/IEC 27035 Information security incident management
  • EN ISO 27799 Health informatics - Information security management in health using ISO/IEC 27002

Training and certification

At the level of an organization, the information security management system can be audited and certified against the normative standard ISO/IEC 27001. For individuals there are various training and certification schemes, designed by different certification bodies; see the list of IT certificates.
